|
|
5ade8a |
From 307e5f2ebd28d54a2db03b1f112cc7859fc8ae55 Mon Sep 17 00:00:00 2001
|
|
|
5ade8a |
From: Armin Novak <armin.novak@thincast.com>
|
|
|
5ade8a |
Date: Wed, 3 Nov 2021 15:42:26 +0100
|
|
|
5ade8a |
Subject: [PATCH] Add checks for bitmap and glyph width/heigth values
|
|
|
5ade8a |
|
|
|
5ade8a |
CVE-2021-41160
|
|
|
5ade8a |
|
|
|
5ade8a |
https://github.com/FreeRDP/FreeRDP/pull/7349
|
|
|
5ade8a |
|
|
|
5ade8a |
Signed-off-by: Felipe Borges <feborges@redhat.com>
|
|
|
5ade8a |
---
|
|
|
5ade8a |
libfreerdp/core/orders.c | 14 ++++++++++++
|
|
|
5ade8a |
libfreerdp/core/surface.c | 45 +++++++++++++++++++++++++++++++++++++++
|
|
|
5ade8a |
libfreerdp/core/update.c | 7 ++++++
|
|
|
5ade8a |
3 files changed, 66 insertions(+)
|
|
|
5ade8a |
|
|
|
5ade8a |
diff --git a/libfreerdp/core/orders.c b/libfreerdp/core/orders.c
|
|
|
5ade8a |
index e053bd480..3b1b1bc45 100644
|
|
|
5ade8a |
--- a/libfreerdp/core/orders.c
|
|
|
5ade8a |
+++ b/libfreerdp/core/orders.c
|
|
|
5ade8a |
@@ -1742,6 +1742,13 @@ static BOOL update_read_fast_glyph_order(wStream* s, const ORDER_INFO* orderInfo
|
|
|
5ade8a |
if (fastGlyph->cbData < new_cb)
|
|
|
5ade8a |
return FALSE;
|
|
|
5ade8a |
|
|
|
5ade8a |
+ if ((glyph->cx == 0) || (glyph->cy == 0))
|
|
|
5ade8a |
+ {
|
|
|
5ade8a |
+ WLog_ERR(TAG, "GLYPH_DATA_V2::cx=%" PRIu32 ", GLYPH_DATA_V2::cy=%" PRIu32,
|
|
|
5ade8a |
+ glyph->cx, glyph->cy);
|
|
|
5ade8a |
+ return FALSE;
|
|
|
5ade8a |
+ }
|
|
|
5ade8a |
+
|
|
|
5ade8a |
if (new_cb > 0)
|
|
|
5ade8a |
{
|
|
|
5ade8a |
BYTE* new_aj;
|
|
|
5ade8a |
@@ -2700,6 +2707,13 @@ update_read_create_offscreen_bitmap_order(wStream* s,
|
|
|
5ade8a |
Stream_Read_UINT16(s, create_offscreen_bitmap->cy); /* cy (2 bytes) */
|
|
|
5ade8a |
deleteList = &(create_offscreen_bitmap->deleteList);
|
|
|
5ade8a |
|
|
|
5ade8a |
+ if ((create_offscreen_bitmap->cx == 0) || (create_offscreen_bitmap->cy == 0))
|
|
|
5ade8a |
+ {
|
|
|
5ade8a |
+ WLog_ERR(TAG, "Invalid OFFSCREEN_DELETE_LIST: cx=%" PRIu16 ", cy=%" PRIu16,
|
|
|
5ade8a |
+ create_offscreen_bitmap->cx, create_offscreen_bitmap->cy);
|
|
|
5ade8a |
+ return FALSE;
|
|
|
5ade8a |
+ }
|
|
|
5ade8a |
+
|
|
|
5ade8a |
if (deleteListPresent)
|
|
|
5ade8a |
{
|
|
|
5ade8a |
UINT32 i;
|
|
|
5ade8a |
diff --git a/libfreerdp/core/surface.c b/libfreerdp/core/surface.c
|
|
|
5ade8a |
index d5c709885..ca89d230c 100644
|
|
|
5ade8a |
--- a/libfreerdp/core/surface.c
|
|
|
5ade8a |
+++ b/libfreerdp/core/surface.c
|
|
|
5ade8a |
@@ -21,6 +21,8 @@
|
|
|
5ade8a |
#include "config.h"
|
|
|
5ade8a |
#endif
|
|
|
5ade8a |
|
|
|
5ade8a |
+#include <assert.h>
|
|
|
5ade8a |
+
|
|
|
5ade8a |
#include <freerdp/utils/pcap.h>
|
|
|
5ade8a |
#include <freerdp/log.h>
|
|
|
5ade8a |
|
|
|
5ade8a |
@@ -62,6 +64,13 @@ static BOOL update_recv_surfcmd_bitmap_ex(wStream* s, TS_BITMAP_DATA_EX* bmp)
|
|
|
5ade8a |
Stream_Read_UINT16(s, bmp->height);
|
|
|
5ade8a |
Stream_Read_UINT32(s, bmp->bitmapDataLength);
|
|
|
5ade8a |
|
|
|
5ade8a |
+ if ((bmp->width == 0) || (bmp->height == 0))
|
|
|
5ade8a |
+ {
|
|
|
5ade8a |
+ WLog_ERR(TAG, "invalid size value width=%" PRIu16 ", height=%" PRIu16, bmp->width,
|
|
|
5ade8a |
+ bmp->height);
|
|
|
5ade8a |
+ return FALSE;
|
|
|
5ade8a |
+ }
|
|
|
5ade8a |
+
|
|
|
5ade8a |
if ((bmp->bpp < 1) || (bmp->bpp > 32))
|
|
|
5ade8a |
{
|
|
|
5ade8a |
WLog_ERR(TAG, "invalid bpp value %" PRIu32 "", bmp->bpp);
|
|
|
5ade8a |
@@ -85,6 +94,39 @@ static BOOL update_recv_surfcmd_bitmap_ex(wStream* s, TS_BITMAP_DATA_EX* bmp)
|
|
|
5ade8a |
return TRUE;
|
|
|
5ade8a |
}
|
|
|
5ade8a |
|
|
|
5ade8a |
+static BOOL update_recv_surfcmd_is_rect_valid(const rdpContext* context,
|
|
|
5ade8a |
+ const SURFACE_BITS_COMMAND* cmd)
|
|
|
5ade8a |
+{
|
|
|
5ade8a |
+ assert(context);
|
|
|
5ade8a |
+ assert(context->settings);
|
|
|
5ade8a |
+ assert(cmd);
|
|
|
5ade8a |
+
|
|
|
5ade8a |
+ /* We need a rectangle with left/top being smaller than right/bottom.
|
|
|
5ade8a |
+ * Also do not allow empty rectangles. */
|
|
|
5ade8a |
+ if ((cmd->destTop >= cmd->destBottom) || (cmd->destLeft >= cmd->destRight))
|
|
|
5ade8a |
+ {
|
|
|
5ade8a |
+ WLog_WARN(TAG,
|
|
|
5ade8a |
+ "Empty surface bits command rectangle: %" PRIu16 "x%" PRIu16 "-%" PRIu16
|
|
|
5ade8a |
+ "x%" PRIu16,
|
|
|
5ade8a |
+ cmd->destLeft, cmd->destTop, cmd->destRight, cmd->destBottom);
|
|
|
5ade8a |
+ return FALSE;
|
|
|
5ade8a |
+ }
|
|
|
5ade8a |
+
|
|
|
5ade8a |
+ /* The rectangle needs to fit into our session size */
|
|
|
5ade8a |
+ if ((cmd->destRight > context->settings->DesktopWidth) ||
|
|
|
5ade8a |
+ (cmd->destBottom > context->settings->DesktopHeight))
|
|
|
5ade8a |
+ {
|
|
|
5ade8a |
+ WLog_WARN(TAG,
|
|
|
5ade8a |
+ "Invalid surface bits command rectangle: %" PRIu16 "x%" PRIu16 "-%" PRIu16
|
|
|
5ade8a |
+ "x%" PRIu16 " does not fit %" PRIu32 "x%" PRIu32,
|
|
|
5ade8a |
+ cmd->destLeft, cmd->destTop, cmd->destRight, cmd->destBottom,
|
|
|
5ade8a |
+ context->settings->DesktopWidth, context->settings->DesktopHeight);
|
|
|
5ade8a |
+ return FALSE;
|
|
|
5ade8a |
+ }
|
|
|
5ade8a |
+
|
|
|
5ade8a |
+ return TRUE;
|
|
|
5ade8a |
+}
|
|
|
5ade8a |
+
|
|
|
5ade8a |
static BOOL update_recv_surfcmd_surface_bits(rdpUpdate* update, wStream* s, UINT16 cmdType)
|
|
|
5ade8a |
{
|
|
|
5ade8a |
SURFACE_BITS_COMMAND cmd = { 0 };
|
|
|
5ade8a |
@@ -98,6 +140,9 @@ static BOOL update_recv_surfcmd_surface_bits(rdpUpdate* update, wStream* s, UINT
|
|
|
5ade8a |
Stream_Read_UINT16(s, cmd.destRight);
|
|
|
5ade8a |
Stream_Read_UINT16(s, cmd.destBottom);
|
|
|
5ade8a |
|
|
|
5ade8a |
+ if (!update_recv_surfcmd_is_rect_valid(update->context, &cmd))
|
|
|
5ade8a |
+ goto fail;
|
|
|
5ade8a |
+
|
|
|
5ade8a |
if (!update_recv_surfcmd_bitmap_ex(s, &cmd.bmp))
|
|
|
5ade8a |
goto fail;
|
|
|
5ade8a |
|
|
|
5ade8a |
diff --git a/libfreerdp/core/update.c b/libfreerdp/core/update.c
|
|
|
5ade8a |
index aac58819f..d07fa4eab 100644
|
|
|
5ade8a |
--- a/libfreerdp/core/update.c
|
|
|
5ade8a |
+++ b/libfreerdp/core/update.c
|
|
|
5ade8a |
@@ -99,6 +99,13 @@ static BOOL update_read_bitmap_data(rdpUpdate* update, wStream* s, BITMAP_DATA*
|
|
|
5ade8a |
Stream_Read_UINT16(s, bitmapData->flags);
|
|
|
5ade8a |
Stream_Read_UINT16(s, bitmapData->bitmapLength);
|
|
|
5ade8a |
|
|
|
5ade8a |
+ if ((bitmapData->width == 0) || (bitmapData->height == 0))
|
|
|
5ade8a |
+ {
|
|
|
5ade8a |
+ WLog_ERR(TAG, "Invalid BITMAP_DATA: width=%" PRIu16 ", height=%" PRIu16, bitmapData->width,
|
|
|
5ade8a |
+ bitmapData->height);
|
|
|
5ade8a |
+ return FALSE;
|
|
|
5ade8a |
+ }
|
|
|
5ade8a |
+
|
|
|
5ade8a |
if (bitmapData->flags & BITMAP_COMPRESSION)
|
|
|
5ade8a |
{
|
|
|
5ade8a |
if (!(bitmapData->flags & NO_BITMAP_COMPRESSION_HDR))
|
|
|
5ade8a |
--
|
|
|
5ade8a |
2.32.0
|
|
|
5ade8a |
|